Cybersecurity Assessment

This form has no submit button. It is only for your personal review.

This is just a sample of the questions that we would ask you during a complimentary, 2-hour comprehensive assessment of cybersecurity readiness in your organization.
At your request, we can also conduct vulnerability assessment and penetration testing.

Company Size (# of Employees):

1. Where does security fall on your organization's priority list?

High Priority

Medium Priority

Low Priority

2. What % of your IT budget is spent on Security?

Please enter a value between 0 and 100.

3. What % of your IT department works on Security?

Please enter a value between 0 and 100.

4. Have you allocated any budget this year for preventing cybersecurity threats or incidents?

5. What is your company's overall attitude toward security?

6. Who are the key stakeholders that ensure that Security is a clear focus?

7. Is there a CISO?

Yes

No

Who fulfills that role?

Does the CISO report to the CSO, the CIO, the CFO, or a business leader?

8. Has your organization ever engaged in Vulnerability Assessment?

Yes

No

Do you have full-time staff, or do you hire a vendor or third party, to conduct vulnerability assessments?

9. Has your organization ever engaged in Penetration testing?

Yes

No

Do you have full-time staff, or do you hire a vendor or third party, to conduct penetration testing?

Full-Time Staff

Vendor

Third Party

10. Do you have any Penetration testers on staff currently?

Yes

No

11. Do you have any corporate sponsored initiatives geared towards security/information protection?

12. What methods and tools are you using to handle risk measurement and risk management?

13. Is there a Business Continuity Plan (BCP) in place in the event of a security-related incident?

Yes

No

Is the BCP tested regularly to ensure it is up to date and effective?

Yes

No

14. To what extent is the security program an integrated part of the organization’s broader IT operations, rather than a one-off activity?

15. What security products and capabilities are in place?

16. What methods are used to educate users on internet and information security, and is their effectiveness verified with follow-up phishing simulations or similar tests, with remediation for users who fail?

17. How are threats being tracked/managed? Examples?

18. Is there a formal incident reporting and management process to ensure stakeholders are involved? (IT Sec, IT Ops, Legal, HR, PR, etc.)

Yes

No

What is the formal incident reporting and management process to ensure stakeholders are involved?

19. Are there formal procedures to deter employees who might be inclined to disregard security policies?

20. Do you classify IT assets and information by their importance to, and impact on, the business?

Yes

No

21. How many domain/enterprise admins do you have?

22. How many total administrators?

23. How many admin accounts are set up?

24. How many are really needed?

25. What is each account used for?

26. Are privileged accounts allowed to log on to less trusted downstream systems such as workstations and member servers?

27. Do you have projects under way to reduce the number of privileged accounts?

28. What safeguards ensure admins have appropriate access?

29. How often are they reviewed for accuracy? (i.e. employee leaves or changes office/position)

30. What is the provisioning/de-provisioning process?

31. Have you mapped existing Service Accounts to a specific owner/team?

Yes

No

32. How many service accounts hold Domain Admin rights?

33. What are the requirements for an Admin or Service Account to get Domain Admin rights? What tools?
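Questions 21 through 33 are easiest to answer from data rather than memory. The following PowerShell script is an added example (not part of the original questionnaire or any product it describes) that enumerates the effective membership of the highest-privilege Active Directory groups, flags user accounts that carry a Service Principal Name (the usual marker of a service account), and prints the headline counts the questions ask for. It assumes the RSAT ActiveDirectory module is installed and that the running account can read the domain; the group list, the 90-day logon threshold and the output file name are assumptions chosen for illustration.

```powershell
# Added example: privileged-account inventory for Active Directory.
# Assumes the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

# Groups to audit (assumed list; extend with DNSAdmins, Account Operators, etc. as needed)
$groups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
$staleDays = 90   # assumed threshold for "account not used recently"

$report = foreach ($g in $groups) {
    # -Recursive expands nested groups, which is where forgotten admins usually hide
    $members = Get-ADGroupMember -Identity $g -Recursive |
               Where-Object { $_.objectClass -eq 'user' }

    foreach ($m in $members) {
        $u = Get-ADUser -Identity $m.DistinguishedName -Properties `
             ServicePrincipalName, PasswordLastSet, PasswordNeverExpires,
             LastLogonDate, Enabled, Description

        [pscustomobject]@{
            Group                = $g
            SamAccountName       = $u.SamAccountName
            Enabled              = $u.Enabled
            # A user object with an SPN is a service account: Kerberoastable and
            # typically with a long-lived password (questions 31 and 32).
            LikelyServiceAccount = [bool]$u.ServicePrincipalName
            PasswordNeverExpires = $u.PasswordNeverExpires
            PasswordAgeDays      = if ($u.PasswordLastSet) {
                                       [int](New-TimeSpan -Start $u.PasswordLastSet -End (Get-Date)).TotalDays
                                   } else { $null }
            LastLogonDate        = $u.LastLogonDate
            Description          = $u.Description   # often the only record of the owner (question 31)
        }
    }
}

$report | Sort-Object Group, SamAccountName | Format-Table -AutoSize

# Headline numbers for questions 21, 23, 29 and 32
$da = $report | Where-Object { $_.Group -eq 'Domain Admins' }
"Effective Domain Admins:              {0}" -f @($da | Select-Object -Unique SamAccountName).Count
"Service accounts with Domain Admin:   {0}" -f @($da | Where-Object { $_.LikelyServiceAccount }).Count
"Privileged accounts unused > {0} days: {1}" -f $staleDays,
    @($report | Where-Object { $_.LastLogonDate -lt (Get-Date).AddDays(-$staleDays) } |
      Select-Object -Unique SamAccountName).Count
"Privileged accounts, password never expires: {0}" -f `
    @($report | Where-Object { $_.PasswordNeverExpires } | Select-Object -Unique SamAccountName).Count

# Keep the evidence for the review in question 29
$report | Export-Csv -NoTypeInformation -Path .\privileged-accounts.csv
```

Two caveats when reading the output: Enterprise Admins and Schema Admins exist only in the forest root domain, so the query must be run there (or pointed at it with -Server), and the built-in Administrators group can contain foreign security principals from trusted domains that Get-ADGroupMember -Recursive cannot expand, which will surface as errors rather than rows. The gap between "effective Domain Admins" here and the number the team believes it has is usually the first finding of the assessment.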

34. Is there separation of duties in order to reduce opportunities for misuse of information/inappropriate access?

35. What administrative credentials are used on a daily basis? How are they managed?

36. Are admins required to use two-factor authentication, such as smart cards, to help mitigate pass-the-hash (PtH) scenarios?

37. Do you have safeguards in place against pass-the-hash and other credential theft?
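Questions 36 and 37 are usually answered "yes" on the basis of policy documents; the host-level settings that actually determine whether credentials are exposed to theft can be read directly. The following PowerShell script is an added example (not from the original page) that checks, on a Windows machine, the main controls that reduce pass-the-hash and credential-dumping exposure: LSA running as a protected process (RunAsPPL), WDigest plaintext caching disabled, Credential Guard running, the local-account token filter left in its default restrictive state, and, if the ActiveDirectory module is present, whether Domain Admins are in the Protected Users group. The registry paths and the Win32_DeviceGuard class are documented Microsoft locations; the verdict labels are the example's own assumptions.

```powershell
# Added example: quick credential-theft hardening check for one Windows host.
# Run in an elevated PowerShell session on the host being assessed.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent, so "absent" and "0" stay distinguishable.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

$checks = @()

# 1. LSA protection: blocks unsigned code (e.g. mimikatz) from opening lsass.exe.
$ppl = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'RunAsPPL'
$checks += [pscustomobject]@{ Control = 'LSA RunAsPPL'; Value = $ppl; Pass = ($ppl -ge 1) }

# 2. WDigest: UseLogonCredential=1 stores reversible credentials in memory. Absent (default on
#    Windows 8.1/2012 R2 and later) or 0 is what you want.
$wd = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' 'UseLogonCredential'
$checks += [pscustomobject]@{ Control = 'WDigest UseLogonCredential'; Value = $wd; Pass = ($wd -ne 1) }

# 3. Credential Guard: isolates NTLM hashes and Kerberos tickets from the OS.
#    SecurityServicesRunning contains 1 when Credential Guard is running.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
$cgRunning = $dg -and ($dg.SecurityServicesRunning -contains 1)
$checks += [pscustomobject]@{ Control = 'Credential Guard running'; Value = $cgRunning; Pass = [bool]$cgRunning }

# 4. Local-account token filter: a value of 1 lets local admin accounts authenticate remotely
#    with full rights, which is what makes a shared local admin password a lateral-movement path.
$tf = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'LocalAccountTokenFilterPolicy'
$checks += [pscustomobject]@{ Control = 'LocalAccountTokenFilterPolicy'; Value = $tf; Pass = ($tf -ne 1) }

# 5. Protected Users: members cannot use NTLM or DES/RC4 Kerberos and get no cached credentials.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    $protected = @(Get-ADGroupMember -Identity 'Protected Users' -Recursive | Select-Object -ExpandProperty SamAccountName)
    $admins    = @(Get-ADGroupMember -Identity 'Domain Admins' -Recursive | Where-Object objectClass -eq 'user')
    $unprotected = @($admins | Where-Object { $protected -notcontains $_.SamAccountName })
    $checks += [pscustomobject]@{
        Control = 'Domain Admins outside Protected Users'
        Value   = ($unprotected.SamAccountName -join ', ')
        Pass    = ($unprotected.Count -eq 0)
    }
}

$checks | Format-Table -AutoSize
```

A smart-card requirement (question 36) does not by itself remove the pass-the-hash risk: a smart-card-only account still has an NTLM hash in the directory, and unless that hash is rotated (for example by enabling the domain setting that rolls it at each logon) and the account is in Protected Users, a stolen hash remains usable. That is why the two questions are asked together.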

38. Have any of your employees ever reported being the target of a phishing attempt?

Yes

No

39. Do you have safeguards and protection against malware?

40. Do any of your administrative workstations or administrative servers have direct access to the internet?